Can port 1099 be blocked on the CA Data Aggregator and CA Data Collector servers?
Article ID: 109948
Products
CA Infrastructure Management
CA Performance Management - Usage and Administration
Issue/Introduction
Insecure JMX RMI adapter configurations were found: JMX RMI adapters were exposed on TCP port 1099 with no authentication required.
This was identified on the CA Data Aggregator (DA) and CA Data Collector (DC) servers in a production environment.
It was possible to connect successfully to several of these JMX RMI adapters. It was also possible to load a malicious MBean, which permitted remote command execution.
How can this be resolved to secure the system from intrusion and malicious activity?
Environment
All supported CA Performance Management releases
Resolution
The DA and DC servers use port 1099 (DA/DC services) and port 11099 (AMQ service) for JVM monitoring.
Self Monitoring connects to JMX to gather data. The DA and DC servers must be able to connect to their own 1099 and 11099 ports.
Server administrators can block outside access to the 1099 and 11099 ports. That way, only connections made from the server itself can reach the JVMs via JMX RMI.
Any other limitations on those ports would break the CA Performance Management Self Monitoring functionality.
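
One way to check and apply this on a Linux DA or DC host, as an added example that is not vendor-supplied code. It assumes `ss` and `iptables`/`ip6tables` are in use; the function names and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). The ports are the two named in this article.
JMX_PORTS="1099 11099"

# Read `ss -ltnH` output on stdin and print each JMX port that listens on a
# non-loopback address, i.e. one other hosts can reach unless a firewall
# blocks it.
exposed_jmx_listeners() {
    awk -v ports="$JMX_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; port = addr
            sub(/.*:/, "", port)        # text after the last colon
            sub(/:[0-9]+$/, "", addr)   # local address without the port
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (!seen[port]++) print port
        }'
}

# Print the firewall commands that keep both ports local-only.
# Each rule is inserted at position 1, so the DROP goes in first and the
# loopback ACCEPT lands above it. Traffic a host sends to its own address
# arrives on "lo", so Self Monitoring keeps working. ip6tables is included
# because a JVM listener on "*" or "[::]" also answers over IPv6.
jmx_firewall_rules() {
    for cmd in iptables ip6tables; do
        for port in $JMX_PORTS; do
            echo "$cmd -I INPUT 1 -p tcp --dport $port -j DROP"
            echo "$cmd -I INPUT 1 -i lo -p tcp --dport $port -j ACCEPT"
        done
    done
}

# Constructed sample of `ss -ltnH` output (not captured from a real server).
SAMPLE_SS='LISTEN 0 50 *:1099 *:*
LISTEN 0 128 127.0.0.1:11099 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | exposed_jmx_listeners   # live: ss -ltnH | exposed_jmx_listeners
jmx_firewall_rules                                   # review, then run the printed commands as root
```

Rules added this way do not survive a reboot until they are saved with the distribution's own persistence mechanism.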